Background to COVIDSafe

Overview


The Australian Government developed COVIDSafe to help keep the community safe from coronavirus (COVID-19). Together, let’s help stop the spread.

COVIDSafe uses Bluetooth® technology on your mobile phone to look for other devices with COVIDSafe installed. Your phone will take note of contact you’ve had with other users by securely logging their reference code. If you test positive for COVID-19:
COVIDSafe helps state and territory health officials to quickly contact people who may have been exposed to COVID-19.

As restrictions are lifted the app helps give us the confidence to know that the virus is not spreading silently in the community.

COVIDSafe supports the current manual process of finding people who have been in close contact with someone with COVID-19.

The more Australians connect to COVIDSafe, the quicker we can find the virus and prevent the spread.
COVIDSafe assists state and territory health officials to contact you if you have been in contact with someone with COVID-19. They tell you:
If you test positive for COVID-19, COVIDSafe helps state and territory health officials to notify people you’ve been in close contact with and advise them about self-quarantine and getting tested.

This will support current manual processes and make it quicker to stop the spread of the virus, particularly as restrictions are eased.
Using COVIDSafe means you can:
  • receive early notification from a state or territory health official that you may have been exposed to COVID-19
  • get tested promptly
  • go into quarantine to protect your health and the health of others

Without the help of technology, finding people who may have been exposed to the virus relies on people:
  • being able to recall everyone they have been in close contact with
  • knowing their contact details

In many cases, people won't know the names and contact details of everyone they’ve been in close contact with (for example, on public transport).

COVIDSafe uses technology to make this process faster and more accurate. We developed it to ensure your information and privacy are strictly protected.

State and territory health officials can only access close contact information from COVIDSafe if a user tests positive for COVID-19 and consents to this information being uploaded. This helps alert those who may need to be tested.

COVIDSafe will never track your location.
We regularly release COVIDSafe updates, which you can access via your phone’s app store or by allowing automatic updates.

COVIDSafe will have a defined end date. The Privacy Act 1988 as amended in 2020 (the Act) calls this the end of the COVIDSafe data period.

The Minister for Health will formally notify the end of the COVIDSafe app data period (section 94Y of the Act):
  • when the Minister is satisfied that COVIDSafe is no longer required or no longer likely to be effective in preventing or controlling COVID-19 in Australia
  • after consulting the Commonwealth Chief Medical Officer or the Australian Health Protection Principal Committee

The Act (section 94P) states that after the end of the COVIDSafe data period:
  • COVIDSafe must not be available for download
  • COVIDSafe app data must not be collected
  • COVIDSafe app data must be deleted
  • COVIDSafe users should be informed of the above and that they should delete COVIDSafe from their phone
You can use COVIDSafe campaign materials as long as you do not make any changes to the materials. If you have questions about these resources, please contact CoronaComms@health.gov.au

You can use images of the COVIDSafe app, including screenshots, for publications purposes provided you give attribution to the Department of Health.

You cannot use the Commonwealth coat of arms without written permission.
COVIDSafe is available in 6 languages:
  • English
  • Traditional Chinese
  • Simplified Chinese
  • Arabic
  • Vietnamese
  • Korean
  • Greek
  • Italian
  • Punjabu
  • Turkish

See how to use COVIDSafe in a language other than English.

Translated information about COVIDSafe is available for you to download and use:
The National Coronavirus Helpline can answer questions on COVIDSafe, including troubleshooting during installation, through the translating and interpreting service.

How COVIDSafe works


COVIDSafe operates on your phone as you go about your day. It securely logs the encrypted reference codes of devices of other COVIDSafe users who have been in close proximity to you.

You can voluntarily download the app from the Apple App Store or Google Play. You register to use the app by entering:
You will receive a confirmation text message to complete the installation. Based on this information, COVIDSafe generates an encrypted reference code for the app on that phone, which changes every week to make it more secure.

For COVIDSafe to work, it must be running in the background on your phone. Other apps can be used at the same time.

COVIDSafe uses Bluetooth® to look for other devices that have the app installed. It takes a note of a contact when it occurs, through a digital handshake. It securely logs the other user’s encrypted reference code and the date, time, Bluetooth® signal strength and proximity of the contact on the user’s phone, and notes the phone model. This information is then securely encrypted and stored on the phone.

COVIDSafe does not record your location.

COVIDSafe stores contacts on the phone for 21 days. This allows for the 14-day incubation period of the coronavirus, plus the time taken to confirm a positive test result. The rolling 21-day window allows COVIDSafe to continuously note only those user contacts that occur during the coronavirus incubation window. It automatically deletes contacts older than 21 days.

Nobody can access the encrypted information on your phone, including you. If you test positive for COVID-19, you will be asked to consent to upload your digital handshake information to the National COVIDSafe Data Store. The uploaded information enables state and territory health officials to call close contacts to advise them on what to do. State and territory health officials must undertake system training before they can access the National COVIDSafe Data Store.

This cycle continues if a COVIDSafe user who was a close contact later tests positive.
Anyone living in Australia who has a phone that meets the minimum requirements can download and use COVIDSafe. You need to be connected to Wi-Fi or mobile data to download the app, but Wi-Fi or mobile data are not needed for the app to run.

Some Australians in rural areas are experiencing difficulties downloading and installing COVIDSafe due to network coverage issues. We advise these people to download and register on the app over the mobile network the next time they are in a coverage area. This might be when they travel into town to purchase groceries or supplies. We have identified a potential solution and are working with the carrier to implement it. We will include the change in a future update.

COVIDSafe is available to:
  • users in Australia with Australian or non-Australian Apple App Store and Google Play Store accounts
  • people living in Australian External Territories like Norfolk Island
  • people with Australian or international mobile phone numbers

We want to make sure as many people living in Australia as possible can download and use COVIDSafe.

If you tested positive, isolated and recovered
If you have recovered from COVID-19, we still encourage you to use COVIDSafe. We encourage everyone living in Australia to use COVIDSafe regardless of their location or health status.
There is no extra risk of false positives with COVIDSafe. This is because state and territory health officials verify a person’s positive diagnosis before asking them to upload their digital handshake information.
If you test positive for COVID-19, a state or territory health official in your state or territory will contact you. You will be asked to voluntarily upload your digital handshake information to the secure server. The health official will give you a PIN for this upload.

This will help state or territory officials identify people who may have had close contact with you. Uploading your information is a crucial part of alerting others who may be at risk, and could save lives.

For information on what happens if one of your close contacts tests positive, see if a close contact tests positive.

If you refuse to upload information
You do not have to consent to share your COVIDSafe app information if you test positive for COVID-19. But remember that uploading your information could help save lives and keep others in the community safe.

State and territory health officials already require people who test positive for COVID-19 to provide information about their close contacts. COVIDSafe supports manual contact tracing processes. It can provide extra information of contacts that you may not know, such as the person sitting near you on public transport.

Whether or not you consent to the use of your COVIDSafe information, you will still have to go through the existing contact tracing process of recalling all your recent contacts and providing them to your state or territory health officials. The app adds to this process and makes it more effective.

COVIDSafe is community-driven. When app users who test positive for COVID-19 consent to upload their digital handshake information, it helps protect others in the community who have also been exposed.
Health officials will contact you or your parent/guardian/carer on the mobile number you registered with COVIDSafe to alert you to potential exposure if:
  • a person tests positive for COVID-19 and they are a COVIDSafe user
  • your device noted that you were in close proximity to them in the last 21 days

Health officials may discuss the suspected day and time of exposure with the close contact, as per their usual processes. They will not name the person who was infected.

If you believe you have come into contact with a person who has tested positive for COVID-19 but you haven't been contacted, contact your doctor to discuss this and how to get tested.

Close contact information is only available to state and territory health officials after:
  • a user is confirmed as COVID-19 positive
  • the user consents to securely upload the information stored on their phone

Officials will only call people who were close contacts within the 21 days before the information was uploaded. This early notification allows users to quickly get tested and go into quarantine.

Find out where you can get tested.
Follow the guidelines on quarantine.
State and territory health officials carry out contact tracing. COVIDSafe does not replace their usual contact tracing processes. It supports them.

Please contact the health department in your state or territory for information about their contact tracing processes, including how they support the Deaf community and people with differing communication needs.

The Australian Government website www.australia.gov.au has links to COVID-19 advice for all states and territories.

Close contact information


State and territory public health officials only have access to contact information for other COVIDSafe users who have been within approximately 1.5 metres for a period of 15 minutes or more.
When 2 or more app users come close to each other their phones exchange Bluetooth® signals and make a series of digital handshakes.

COVIDSafe notes the encrypted information held on your phone through the strength of Bluetooth® signals. Once the information is uploaded to the National COVIDSafe Data Store, it is then filtered so that state and territory health official can access close contacts.

The proximity for a close contact is approximately 1.5 metres, for a period of 15 minutes or more.

To be effective, COVIDSafe should be active on your phone whenever you are coming into contact with people.
COVIDSafe uses Bluetooth® received signal strength indicator (RSSI) values to measure the signal strength between devices. It uses the calibrated RSSI values to estimate the likelihood of a person being in close contact.

COVIDSafe collects data that is exchanged between users of the app at a series of intervals. In this way it estimates how long an encounter between 2 users lasted, to determine whether a user was probably exposed to COVID-19.
If a state or territory health official tells you that you are a close contact, they will not name the person who tested positive. This is the same as existing contact tracing processes.
The average incubation period for someone who contracts COVID-19 is typically 5 to 6 days. However, the World Health Organization (WHO) currently estimates that the incubation period can be up to 14 days. These estimates will be refined as more data becomes available.

COVIDSafe’s rolling 21-day window allows for the 14-day incubation period, plus the time taken to confirm a positive test result.

The rolling 21-day window allows the app to continuously monitor only those user contacts that occur during the coronavirus incubation window.

COVIDSafe automatically deletes contacts that occurred outside the 21-day window from the user’s phone.

Privacy and security


Downloading and using COVIDSafe is voluntary. The app has a range of privacy and security safeguards built in. It uses secure encryption and does not collect data on your location.

You can read an independently developed Privacy Impact Assessment detailing COVIDSafe’s compliance with the Privacy Act 1988 and Australian Privacy Principles. You can also read the Department of Health’s response to the assessment.
At registration, you provide a name (which does not have to be your real name), age range, phone number and postcode. The app generates an encrypted reference code for your mobile phone, which changes every week to make it more secure.

COVIDSafe needs a mobile number to activate an account and to allow state or territory health officials to contact you if they need to. The postcode you register with will help identify the relevant state or territory health authority to contact you.

A state or territory health official will contact you if:
  • you test positive for COVID-19 and you are a registered COVIDSafe user. The official will ask you to upload the digital handshake information stored on your device. This is voluntary.
  • you are a close contact of other COVIDSafe users who test positive for COVID-19.

The name you registered with will be used during the call to verify you are the owner of the mobile number.
COVIDSafe only collects the following information:
  • Registration information: name or pseudonym, mobile number, age range and post code. This becomes your encrypted reference code, and is stored in the National COVIDSafe Data Store.
  • Digital handshake information: encrypted reference code, date and time, Bluetooth® signal strength, and phone model. This is stored on your phone. If you test positive and upload your information to the National COVIDSafe Data Store, an algorithm uses the Bluetooth® signal strength to determine proximity and duration of contact with other COVIDSafe app users.

COVIDSafe does not collect information on your location or your movements.

COVIDSafe collects information needed for health officials to conduct contact tracing. This information is the encrypted reference code, date, time, duration and proximity of contacts, and phone model.

All digital handshake information COVIDSafe collects is encrypted and stored on the user’s phone. You cannot access this information stored on your phone.
If you delete the app from your phone, this will also delete all the digital handshake information from your phone.

Nobody can access the digital handshake information on your phone, unless you test positive for COVID-19 and you consent to upload the contact information to the National COVIDSafe Data Store.
COVIDSafe only collects information about interactions with other COVIDSafe users. COVIDSafe does not collect or use physical location data (for example, GPS, Wi-Fi fingerprinting and cell ID). It only notes proximity to another COVIDSafe user via Bluetooth®.

It does not record an individual’s location or movements. COVIDSafe only records that a close contact occurred to allow state or territory health officials to contact those users to enable them to quickly get tested and go into quarantine.

COVIDSafe cannot be used to enforce quarantine or isolation restrictions or any other laws.

Commonwealth and state or territory law enforcement agencies will not be allowed to access any information from the app, unless investigating misuse of that information itself.
COVIDSafe encrypts the name or pseudonym, verified mobile number, age range and postcode you registered on the National COVIDSafe Data Store, which is hosted in Australia.

The storage system is geo-locked, meaning nobody can take the information out of Australia.

COVIDSafe provides the information as an encrypted hash code. This is the only information shared with other users as part of the Bluetooth® digital handshake.

COVIDSafe stores the digital handshakes it collects on your phone. It encrypts this information and nobody can access or view it, including you.

COVIDSafe automatically deletes digital handshakes that are older than 21 days from your phone.

Digital handshake information only leaves your phone if you test positive for COVID-19 and consent to the upload.

If you consent, the information is then uploaded to the National COVIDSafe Data Store. Only authorised state and territory health officials can access contact information, and only after they have received system training. State and territory health officials can only view close contact information collected by people from their state or territory, who have tested positive for with COVID-19.

When accessing and using the uploaded information, health officials must comply with the obligations in part VIIIA of the Privacy Act 1988 and the Australian Privacy Principles. These regulate data protection and information security obligations. The information will only be used to alert individuals if they have come into contact with a person who has tested positive for COVID-19.
Using COVIDSafe is entirely voluntary, but it will help save lives.

COVIDSafe does not replace existing contact tracing processes conducted by state and territory public health authorities — it supports them. State and territory public health authorities will continue to ask people who are diagnosed with COVID-19 about their close contacts, whether they use COVIDSafe or not.

You can contact the health department in your state or territory for information about their existing processes. The Australian Government website www.australia.gov.au has links to COVID-19 advice for all of the states and territories.

It is against the law to require another person to download, or operate, the COVIDSafe app.

Downloading the COVIDSafe app is completely voluntary and cannot be forced upon anyone in any way. The Privacy Act 1988 provides for this. The Department of Health and the Prime Minister have also publicly reiterated this.

For this reason, nobody can give incentives for others to download COVIDSafe. They can only recommend and encourage it. The COVIDSafe privacy policy states “No user should feel pressured to install or continue to use COVIDSafe, or to agree to upload contact data to the data store”.

In particular, a person (including a business or company) cannot:
  • refuse entry into, or continue, a contract or arrangement with another person (including a contract of employment) if they don’t have the app
  • disadvantage an employee if they don’t have the app
  • refuse to allow another person to enter premises accessible to the public or that the other person has a right to enter if they don’t have the app
  • refuse to allow another person to participate in an activity if they don’t have the app
  • refuse to receive goods or services or insist on providing less money for the goods or services if someone doesn’t have the app
  • refuse to provide goods or services or insist on receiving more money for the goods or services if someone doesn’t have the app

For example, your employer must not require the download or use of the COVIDSafe app as part of your employment, or disadvantage you if you refuse to download the app. An operator of a business open to the public must not refuse entry to you just because you have not downloaded or are not using the app.

If someone tries to force you to use COVIDSafe
The COVIDSafe app enables faster and more comprehensive contact tracing for people exposed to COVID-19 and all Australians are encouraged to download it to help protect themselves, their family and community.

However it is voluntary and you cannot be told it is compulsory – regardless of your decision.

If your employer or anyone else purports to require you to download or use the COVIDSafe app, or upload your contact information, you can:
  1. Explain to the person who is telling you to download or use the app or upload your information that:
    • downloading or using the app or uploading information from the app is voluntary
    • the Privacy Act prohibits anyone making another person download or use the app or upload contact information from the app
    • in some circumstances this could amount to a criminal offence.
  2. Contact the National Coronavirus Helpline on 1800 020 080.

If you believe an offence under the Privacy Act has been committed, you can make a complaint to the Office of the Australian Information Commissioner, or the Australian Federal Police.

Penalty for forcing use
Contravening section 94H of the Privacy Act is a criminal offence punishable by a maximum sentence of 5 years’ imprisonment, or a fine.
Children can download and use the COVIDSafe app.

The Government expects parents, guardians and carers will provide the same care and guidance to their children with respect to the COVIDSafe app as they do when their children download any other app. It is important for parents to talk to their children about the app and how it works.

When a person under the age of 16 registers the app, it prompts them to confirm they have the consent of their parent, guardian or carer before they proceed.

If a child running COVIDSafe on their device tests positive for COVID-19, the relevant state or territory health official will seek the consent of the child’s parent, guardian or carer before the child's information is uploaded to the National COVIDSafe Data Store.

If a state or territory health official contacts a child because they have been in contact with someone who has tested positive for COVID-19, they will ask to speak to the child’s parent, guardian or carer. They will then provide the necessary information and advice.
The Privacy Amendment (Public Health Contact Information) Act 2020 amends the Privacy Act (the Act) to provide stronger privacy protections for COVIDSafe app data. COVIDSafe app data can only be used for specific purposes, and only to the extent required for those purposes.

Under the Act, COVIDSafe app data can only be collected, used or disclosed for the purposes of:
  • state and territory health authorities undertaking contact tracing.
  • the Digital Transformation Agency (as the data store administrator):
    • enabling contact tracing by state and territory health authorities.
    • ensuring the proper functioning, integrity or security of the COVIDSafe app or National COVIDSafe Data Store.
    • using COVIDSafe app data to produce de-identified statistical information about the total number of registrations through the COVIDSafe app.
    • using COVIDSafe app data to confirm the correct data is being deleted, if a request has been made to delete the data.
  • the Australian Information Commissioner performing functions or exercising powers under the Act.
  • investigating or prosecuting a breach of the privacy protections under the Act.

The Act also:
  • prohibits anyone from requiring a person to download or use the COVIDSafe app. For example, an employer cannot make downloading or using the COVIDSafe app a condition of employment.
  • states the data held in the National COVIDSafe Data Store and COVIDSafe app data must be kept in Australia.
  • requires that the data store administrator delete all COVIDSafe app data held in the National COVIDSafe Data Store when the COVIDSafe app is no longer required, or is no longer likely to be effective as part of Australia’s response to COVID-19. The Minister for Health must determine this following consultation with the Commonwealth Chief Medical Officer or the Australian Health Protection Principal Committee.

Law enforcement agencies or the Australian Information Commissioner can only access COVIDSafe app data to enforce these privacy protections. They cannot use it for any other purpose.

If you think your privacy has been breached, you can make a complaint to the Office of the Australian Information Commissioner or the Australian Federal Police.
Protecting the privacy of Australians downloading and using COVIDSafe is a top priority.

Strong cyber security principles underpin COVIDSafe’s security design to ensure that your information remains safe. Cyber security experts independently assured these security controls throughout COVIDSafe’s development.

COVIDSafe uses Bluetooth® technology on mobile phones to perform a digital handshake. This records close contact with another user who also has the COVIDSafe app installed. The Bluetooth® technology COVIDSafe uses is similar to that used when pairing with other Bluetooth®-enabled devices like headphones or smartwatches.

Your phone’s operating system has device-level security controls to keep your information safe. Please keep your smartphone software up to date to ensure you have the latest security controls installed.

All information that COVIDSafe stores (both on your phone and in the National COVIDSafe Data Store) is encrypted. This provides extra cyber security protection of your information.

We will continue to work with government security agencies, tech experts and the community to maintain and strengthen COVIDSafe’s already strong security.

Other COVID-19 mobile services from Government


COVIDSafe is a separate app to the other Australian Government coronavirus apps. Its sole purpose is to improve the ability of state and territory health officials to quickly alert and contain COVID-19 outbreaks in the community.

COVIDSafe is an Australian Government initiative. Contact us if you need assistance: support@covidsafe.gov.au
Coronavirus Australia is an information service. The Government developed it to ensure the community has access to timely and accurate information about COVID-19.

Coronavirus Australia provides:
  • up-to-date information and advice on the virus and Australia’s efforts to combat it
  • a snapshot of the current official COVID-19 status in Australia
  • links to allow users to check symptoms if they are concerned about themselves or others
  • relevant contact information
  • notifications of urgent updates
The Australian Government WhatsApp channel for COVID-19 is another way people can access information about COVID-19.
COVIDSafe is the only contact app that has been developed by the Australian Government Department of Health to ensure your information and privacy are protected.

Other contact apps do not have the support of the Australian Government.

Amazon Web Services (AWS)


Amazon Web Services (AWS) has a contract with the Australian Government to provide a secure protected-level cloud service for the storage of encrypted information. Information is uploaded to this storage system once a COVIDSafe user has tested positive for COVID-19 and agreed to the information from the app on their phone being used.

Under the contract, AWS has no access to the encrypted information from COVIDSafe.
The Australian Government’s Digital Transformation Agency (DTA) had existing contracts with Amazon Web Services (AWS). The DTA made the COVIDSafe contract as a Statement of Work under the Amazon Web Services (AWS) Whole of Government Arrangement – Standing Offer. The Commonwealth Procurement Rules allow a limited tender when there is:
  • genuine urgency (rule 10.3.b)
  • continuation of an existing agreement (rule 10.3.e)

The Statement of Work (ID number E104752985) requires AWS to provide:
  • Activity 1 — AWS Platform Design and Build
  • Activity 2 — AWS Mobile Web App Build
  • Activity 3 — AWS Admin App Build
  • Activity 4 — AWS Project Control

Using AWS provided the DTA with hosting, development, and operational support services for COVIDSafe and the National COVIDSafe Data Store. Splitting work packages into parts would have introduced more risk and complexity to the COVIDSafe system.

A change in supplier arrangements would have had risks the DTA could not accept:
  • the app may not have been delivered on time
  • the cost would likely be higher, as the work already done by AWS may not have been transferrable to another supplier

The contract between the Commonwealth and AWS specifies:
  • the National COVIDSafe data storage system must use protected certified cloud services
  • data held in the National COVIDSafe data storage system must be located in Australia

While AWS host the data storage system, they do not have access to the National COVIDSafe Data Store.
It is a criminal offence to:
  • hold COVIDSafe app information on a database outside Australia
  • disclose COVIDSafe app information to a person in any country other than Australia
  • use the information for any purpose other than state or territory public health officials undertaking contact tracing

The Australian Government already uses AWS for many other purposes and requires them to keep Australian data in Australia.

More help for COVIDSafe


Read Help topics for more information, including: